You can use security overview to see which repositories and teams are free from any security alerts and which have unresolved security alerts. The "Security risk" page shows a summary and detailed information on which repositories in an organization or enterprise are affected by security alerts, with a breakdown of alert by severity. You can filter the view to show a subset of repositories using the "affected" and "unaffected" links, the links under "Open alerts", the "Teams" dropdown menu, and a search field in the page header. This view is a great way to understand the broader picture for a repository, team, or group of repositories because you can see security alerts of all types in one view.
You can download a CSV file of the data displayed on the "Security risk" page. This data file can be used for efforts like security research and in-depth data analysis, and can integrate easily with external datasets. For more information, see "
Exporting data from the risk and coverage pages
."
Note:
It's important to understand that all repositories without open alerts are included in the set of unaffected repositories. That is, unaffected repositories include any repositories where the feature is not enabled, in addition to repositories that have been scanned and any alerts identified have been closed.
The information shown by security overview varies according to your access to repositories and organizations, and according to whether GitHub Advanced Security is used by those repositories and organizations. For more information, see "
About security overview
."
-
On GitHub.com, navigate to the main page of the organization.
-
Under your organization name, click
Security
.
-
To display the "Security risk" view, in the sidebar, click
Risk
.
-
Use options in the page summary to filter results to show the repositories you want to assess. The list of repositories and metrics displayed on the page automatically update to match your current selection. For more information on filtering, see "
Filtering alerts in security overview
."
- Use the
Teams
dropdown to show information only for the repositories owned by one or more teams.
- Click
NUMBER affected
or
NUMBER unaffected
in the header for any feature to show only the repositories with open alerts or no open alerts of that type.
- Click any of the descriptions of "Open alerts" in the header to show only repositories with alerts of that type and category. For example,
1 critical
to show the repository with a critical alert for Dependabot.
- At the top of the list of repositories, click
NUMBER Archived
to show only repositories that are archived.
- Click in the search box to add further filters to the repositories displayed.
-
Optionally, use the sidebar on the left to explore alerts for a specific security feature in greater detail. On each page, you can use filters that are specific to that feature to refine your search. For more information about the available qualifiers, see "
Filtering alerts in security overview
."
Note:
The summary views ("Overview", "Coverage" and "Risk") show data only for high confidence alerts. Secret scanning alerts for ignored directories and non-provider alerts are all omitted from these views. Consequently, the individual alert views may include a larger number of open and closed alerts.
You can view data for security alerts across organizations in an enterprise. The information shown by security overview varies according to your access to repositories and organizations, and according to whether GitHub Advanced Security is used by those repositories and organizations. For more information, see "
About security overview
."
-
Navigate to GitHub Enterprise Cloud.
-
In the top-right corner of GitHub, click your profile photo, then click
Your enterprises
.
-
In the list of enterprises, click the enterprise you want to view.
-
In the left sidebar, click
Code Security
.
-
To display the "Security coverage" view, in the sidebar, click
Risk
.
-
Use options in the page summary to filter results to show the repositories you want to assess. The list of repositories and metrics displayed on the page automatically update to match your current selection. For more information on filtering, see "
Filtering alerts in security overview
."
- Use the
Teams
dropdown to show information only for the repositories owned by one or more teams.
- Click
NUMBER affected
or
NUMBER unaffected
in the header for any feature to show only the repositories with open alerts or no open alerts of that type.
- Click any of the descriptions of "Open alerts" in the header to show only repositories with alerts of that type and category. For example,
1 critical
to show the repository with a critical alert for Dependabot.
- At the top of the list of repositories, click
NUMBER Archived
to show only repositories that are archived.
- Click in the search box to add further filters to the repositories displayed.
Note:
The summary views ("Overview", "Coverage" and "Risk") show data only for high confidence alerts. Secret scanning alerts for ignored directories and non-provider alerts are all omitted from these views. Consequently, the individual alert views may include a larger number of open and closed alerts.
